Breaches and Consumer Backlash

Take the Citi card breach as Exhibit 1. The global financial corporation revealed this week that its online banking platform, Citi Account Online, likely exposed personally identifiable information about hundreds of thousands of Citibank customers. To date, it's one of the biggest direct hits we've seen a financial institution take, and experts say the hits are likely to keep coming. There's just not much the industry can do to stop or slow the hackers, who seemingly have more time to find security loopholes than institutions have resources to plug.

Citigroup says it discovered unauthorized access to its online system during routine monitoring, and that a limited number of its bank cardholders - only those in North America, which accounts for about 1 percent - were affected. Still, with an overall card customer base of 21 million, exposure of 1 percent is relatively significant.

Account information, including name, account number and contact information, such as e-mail address, is believed to have been exposed, says Sean Kevelighan, head of communications and public affairs for Citigroup. "The customer's Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted," he said.

That more "sensitive" information may have been protected. But as we've learned from other recent breaches at Google, Sony and e-mail marketing provider Epsilon, how the industry defines "sensitive" may need some tweaking. With names and e-mail addresses, cyberthieves have all they need to launch well-orchestrated phishing attacks that can easily pull from consumers the remaining bits of information needed to launch widespread attacks on consumer and commercial bank accounts.

"The biggest damage for Citi is probably going to be reputational, because the hackers apparently didn't pull enough customer data to commit out-and-out fraud," says Tom Wills, a fraud analyst at Javelin Strategy & Research. "But I won't be surprised to see it used in phishing and other social-engineering attacks - or aggregated with other compromised customer data to commit fraud, which is the bad guys' modus operandi these days."

Now to Exhibit 2: the Michaels breach, which has led to a second federal lawsuit against the retailer over the point-of-sale PIN-pad skimming scheme that compromised customer payment cards. The suit, which, like the first class-action suit, seeks more than $5 million in damages, claims Michaels' notification measures after the breach violated the Federal Stored Communications Act as well as the Illinois Consumer Fraud and Deceptive Practices Act.

The whole case raises more questions about breach notification, an issue that's also been raised in the Citi incident.

Breach notification remains a gray area. Forty-six states have breach-notification laws on the books, but no two laws are the same, and enforcement is weak. The lack of a national notification law is the problem, experts say. [See Obama Offers Breach Notification Bill.]

But how much good will a national notification law really do? That's debatable. Privacy experts like Neal O'Farrell, founder of the Identity Theft Council, a grassroots network that provides support for victims of identity theft, say proposals for national breach notification, like the one recently offered by the Obama administration, won't have much impact.

"It's very vague," O'Farrell says, and lacks any mention of consumer education and support, as well as a way to classify breaches. [See Battling 'Breach Fatigue'.]

So, while the industry waits for a more substantial and inclusive breach notification proposal, I wonder what steps it will spearhead to ensure banks and retailers don't come under fire for the breaches that will inevitably continue to strike. I suppose customer and employee education would be good first steps, but it's increasingly clear we need to be doing much more.

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.